Information Commissioner's Office


The Information Commissioner’s response to the Financial 
Conduct Authority’s call for input on open finance 


The Information Commissioner’s Office (ICO) has responsibility for 
promoting and enforcing the General Data Protection Regulation (GDPR), 
the Data Protection Act 2018 (DPA18), the Freedom of Information Act 
2000, the Environmental Information Regulations 2004 and the Privacy 
and Electronic Communications Regulations 2003 (PECR), amongst 
others. We are independent from government and uphold information 
rights in the public interest, promoting openness by public bodies and 
data privacy for individuals. We do this by providing guidance to 
individuals and organisations, and taking appropriate action where the law 
is broken. 


The ICO welcomes the opportunity to respond to this call for input. We 
have positive, ongoing engagement with the implementation of open 
banking, providing advice on the interactions between the GDPR and the 
revised Payment Services Directive (PSD2) and collaborating on the 
content of customer journey guidance for third-party providers. 


We have also supported Ofcom with its initial proposal for open 
communications, drawing on the lessons learnt from open banking to 
assist in identifying key data protection issues from the outset of the 
project. 


The Information Commissioner recognises that innovations in finance are 
becoming increasingly data-driven, and she is broadly supportive of any 
initiative within the financial sector which gives individuals more control 
over their personal data. 


Q2: We are interested in your views on what open banking 
teaches us about the potential development of open finance 


Open banking as a concept was created in response to the Retail Banking 
Market Investigation Order 2017, implemented by the Competition and 
Markets Authority (CMA) to address issues with competition in the 
personal current account and small- and medium-sized enterprise banking 
markets. 


The Open Banking Implementation Entity (OBIE) is tasked with fulfilling 
this Order, including the delivery of the Application Programming 
Interfaces (APIs), creation of the Customer Experience Guidelines and
principles for participating firms. 


The OBIE views the GDPR as being central to the implementation of the 
open banking protocols, inviting the ICO to be a member of the OBIE 
Steering Group and attend meetings and workshops. This close, regular 
engagement allows us to provide expertise in a timely and effective 
manner across a broad range of matters including transparency, fairness, 
and customer experience. 


We would encourage a similar approach in the development of open 
finance. Structured cooperation has enabled us to keep apprised of 
advancements and concerns at an early stage, which has helped the OBIE 
address data protection risks in an efficient and effective manner, and has 
helped us learn more about the practical challenges of innovating in the 
financial services sector. If businesses within the ecosystem require 
advice about privacy and data protection, our experience is that it is 
beneficial to give this input at the earliest available opportunity to embed 
it into the innovation process - known in the GDPR as ‘data protection
by design and default’.


Q4: Do you agree with our assessment of the potential benefits of 
open finance? Are there others? 


We agree with your assessment of the potential benefits of open finance. 
In addition, open finance is potentially an excellent opportunity for raising 
awareness of data protection and how personal data is processed, both 
for the consumer and the businesses involved.


Making people aware of what is happening to their data, who is 
processing it and why empowers the consumer to become ‘data aware’ 
and make good decisions. 


Ensuring that individuals’ rights are built into new technology and 
governance procedures can enhance public trust in new products, as well 
as helping businesses to meet their obligations through developing a 
practical understanding of the requirements of data protection legislation. 


Q8: Do you consider that the current regulatory framework would 
be adequate to capture these risks? 


As is currently the case with regulated financial services activities, it 
appears likely that firms will have to comply with both financial services 
regulations and data protection legislation within an open finance 
ecosystem. 


The current UK data protection regime is relatively new, and will continue
to evolve. The ICO will continue its role in promoting, guiding and
enforcing as we do with open banking and other novel schemes where 
personal data is being processed. 


Q14: What functions and common standards are needed to 
support open finance? How should they be delivered? 


In our work with open banking we have encountered challenges with 
overlaps in terminology which have needed careful management. For 
example, the term ‘explicit consent’ has differing meanings between the 
GDPR and PSD2, which has the potential to cause misunderstandings and 
has had to be thoroughly explained in published guidance for firms. 


It would be useful to be able to work on terminology and concepts at an 
early stage to avoid further potential overlap between existing data 
protection terms and those proposed for use in open finance. 


Q17: Do you agree that GDPR alone may not provide a sufficient 
framework for the development of open finance? 


The GDPR specifically applies to the general processing of personal data 
rather than providing for any specific sector. Because of this we are keen 
to avoid any inadvertent ‘gold plating’ of existing rights and standards 
under the GDPR. 


In relation to generic data processing, our Regulatory Action Policy 
outlines how the ICO upholds individuals’ rights in the digital age. If a 
status quo is maintained and no further framework is introduced, we will 
continue to regulate as necessary using our current approach. 


Should the GDPR prove not to be sufficient, any additional regulations or 
laws should be focussed on mechanisms of open finance. 


We anticipate working with all parties to ensure alignment between data
protection legislation and any new frameworks, and we are keen to help
stakeholders work through any inconsistencies that may arise.


Q18: If so, what other rights and protections are needed? Is the 
open banking framework the right starting point? 


Our work with the OBIE has been complementary to our regulatory aims,
and on that basis we consider the open banking framework to be an 
appropriate starting foundation in relation to the personal data elements. 


Q19: What are the specific ethical issues we need to consider as 
part of open finance? 


The ICO is currently exploring the synergies and differences between data 
ethics and data protection, and has appointed an advisor on a 12-month 
basis to better explore the nature of the ICO’s role in ethical issues. 


As the nature of open ecosystems is ultimately to foster competition, 
balancing this with the rights and freedoms of individuals will need 
consideration. We also believe that thinking around vulnerability will form 
a core part of the thinking around open finance, and we look forward to 
being involved in discussions in these areas as they relate to the 
processing of personal data. 


Q21: How should these set of principles be developed? Do you 
have views on the role the FCA should play? 


As a regulator for the financial sector, the FCA will have a lead role to play 
in developing these principles. The ICO already works in a close and
collaborative fashion with the FCA and enjoys a positive relationship in
relation to data processing in innovative products and services. We would 
expect this to continue as and when relevant activities take place. 